A DNS over HTTPS resolver for glibc
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.

README

                     _   _
 _ __  ___ ___      | |_| |___
| '_ \/ __/ __|_____| __| / __|
| | | \__ \__ \_____| |_| \__ \
|_| |_|___/___/      \__|_|___/

Motivation
==========

Unlike most web browser traffic, which is encrypted thanks to HTTPS, the
resolving of domain names to internet addresses still happens through DNS, an
old, unencrypted protocol. This benefits analytics companies, advertisers,
internet providers and attackers, but not the end-user, who seeks online
privacy and security.

Overview
========

nss-tls is an alternative name resolving library for Linux
(http://www.kernel.org/) distributions with glibc
(https://www.gnu.org/software/libc/).

It performs encrypted name lookup over HTTPS through 1.1.1.1
(https://developers.cloudflare.com/1.1.1.1/dns-over-https/).

The name resolver can be configured through nsswitch.conf(5) to use nss-tls
instead of the DNS resolver, or fall back to DNS when nss-tls fails.

This way, all applications that use the standard resolver API (getaddrinfo(),
gethostbyname(), etc'), are transparently migrated from DNS to encrypted means
of name resolving, with zero application-side changes and minimal resource
consumption footprint. However, nss-tls does not deal with applications that use
their own, built-in DNS resolver.

Architecture
============

nss-tls consists of two parts:
  - nss-tlsd runs in the background and receives DNS resolving requests over a
    Unix socket.
  - libnss_tls.so is a tiny client library which delegates the resolving work to
    nss-tlsd through the Unix socket and passes the results back to the
    application. This way, applications that take advantage of nss-tls are not
    affected by the complexity and the resource consumption of the libraries it
    depends on, or the constraints they impose on applications that use them.

Dependencies
============

nss-tls depends on:
  - glibc (https://www.gnu.org/software/libc/)
  - GLib (https://wiki.gnome.org/Projects/GLib)
  - libsoup (https://wiki.gnome.org/Projects/libsoup)
  - JSON-GLib (https://wiki.gnome.org/Projects/JsonGlib)

If systemd (https://www.freedesktop.org/wiki/Software/systemd/) is present,
the installation of nss-tls includes a unit for nss-tlsd.

nss-tls uses Meson (http://mesonbuild.com/) as its build system.

On Debian (http://www.debian.org/) and derivatives, these dependencies can be
obtained using:

  1) apt install libglib2.0-dev libsoup2.4-dev libjson-glib-dev ninja-build
                 python3-pip
  2) pip3 install meson

Usage
=====

Assuming your system runs systemd
(https://www.freedesktop.org/wiki/Software/systemd/):

  1) meson --prefix=/usr --buildtype=release -Dstrip=true build
  2) ninja -C build install
  3) systemctl daemon-reload
  4) systemctl enable nss-tlsd
  5) systemctl start nss-tlsd
  6) ldconfig
  7) Add "tls" to the "hosts" entry in /etc/nsswitch.conf, before "dns" or
     anything else that contains "dns" in its name

Performance
===========

DNS over HTTPS is much slower than DNS. Therefore, it is recommended to enable
cache of name lookup results. nscd(8) can do that.

To enable DNS cache on Debian (http://www.debian.org/) and derivatives:

  1) apt install unscd
  2) Set "enable-cache" for "hosts" to "yes" in /etc/nscd.conf
  3) systemctl enable unscd
  4) systemctl start unscd

Legal Information
=================

nss-tls is free and unencumbered software released under the terms of the GNU
Lesser General Public License as published by the Free Software Foundation;
either version 2.1 of the License, or (at your option) any later version
license.

nss-tls is not affiliated with 1.1.1.1 or
Cloudflare (https://www.cloudflare.com/).

The ASCII art logo at the top was made using FIGlet (http://www.figlet.org/).